Hello. I’m Rahmos. Here is my Academy — HackTheBox — WriteUp. Check it out!
First add academy.htb to your /etc/hosts, then nmap to see opened ports on this machine:
nmap -A -T4 -p- -v <ip>
There are 3 ports opened: 22(SSH), 80(HTTP) and 33060(mysql).
First, let’s access the website at port 80:
I’ve checked the page source (Ctrl + U), but nothing valuable. Next, scan for hidden dirs using gobuster:
gobuster dir -u http://academy.htb -w /path-to-wordlist
I need credentials to login. I haven’t known the credential yet, so just register a account and login. I will register an account called “customer”.
After login, I’ve entered the page as “egre55”.
I tried to register another account: “customer2”, and login, and I’m also in as “egre55”. Which means, the website uses cookie (PHPSESSID) for authentication. No matters what account you register, if it’s a non-admin account, it will have the same PHPSESSID. So that, there’s only one non-admin account inside the web’s database: “egre55”.
Let’s take a look again from the register, I’m gonna catch the request with Burpsuite. I will register another account, called “admin3”. Here’s the request in Burp:
Ok so the “roleid” is which I need to manipulate. In the database, it will look like this:
So I will change the “roleid” to 1 and forward the request. Then, access /admin.php and login with the account I’ve just registered:
And yes! I’m in the admin-page! Look at the last line, I’ve known another subdomain, and this subdomain has some issue. So let’s add this subdomain into your /etc/hosts, and access it. Here is the dev page:
Scroll down and look closely, I’ve seen some sensitive information:
The app name is “Laravel”. Look on Google for exploit and I’ve found a Metasploit module. Let’s go ahead and “msfconsole”!
Use it. Type “options” to set needed field, and what you need to set is:
APP_KEY: paste the app key in the dev page above
RHOSTS: the machine’s ip
RPORT: The website’s port
LHOST: Your VPN-ip
LPORT: your listener port
VHOST: the subdomain name
After everything is set, “run”
I’ve got the shell into the machine! Spawn a tty shell using python:
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
2/ User flag
Move around to view users:
Ok so there’re 7 users (include root).
The user.txt flag will be inside cry0l1t3 folder:
However, I cannot read it right now due to permission. So I have to find a way to be cry0l1t3.
Let’s try login to mysql with the credential I found:
Well look likes I don’t have the permission to mysql. Next, I’ll transfer the “linpeas” script to enum the machine.
First, start a http server on your machine:
python3 -m http.server 9000
Then from the target machine, cd /tmp and:
chmod +x linpeas.sh
Read the result. Scroll down and you’ll see more sensitive information:
After a while, I’ve found another mysql credential inside /var/www/html/academy/.env: mySup3rP4s5w0rd!!
Try to login with that credential but still not working! 😐
Enum and enum again, finally I found the mysql’s credential for root inside /var/www/html/academy/public/config.php: GkEWXn4h34g8qx9fZ1
Login successful! Now it’s time to find users’ password.
Put all the hashes to crackstation to decrypt:
However, it’s only the password for web’s users, not what I’m looking for. I’m really stuck here… 😣
Take a look again, the password: mySup3rP4s5w0rd!! cannot be used to login to mysql, but let’s try to su cry0l1t3 with this password? Why not?
It works! Let’s get the 1st flag!
3/ Root flag
Now I’ll find a way to own root. First, sudo -l to check if I can sudo:
Well I can’t. So let’s find anotherway.
I’m in the “adm” group, and users inside “adm” group can view logs inside /var/log:
So again, run the linpeas.sh script to enum the log, and I’ve found this:
Looks like it’s mrb3n password! Let’s try su to him:
Ah yes! It’s the correct password!
Now let’s see if mrb3n can run sudo:
Yes, he can run composer as root. Reference to gtfobins, run these commands to own root:
Now run these commands in order:
And I’m root! Get the final flag in /root/root.txt:
cd /root and there’s also another message for you!